October 13, 2015

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the “Data Retention Act”) comes into force today. The political fight is over. The issue is now operation, compliance and regulation.

The Attorney General issued a media release providing:

 The Government welcomes the commencement of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 today.

Metadata is the basic building block in nearly every counter-terrorism, counter-espionage and organised and major crime investigation. It is also essential for the investigation of child abuse and child pornography offences, that are frequently carried out online, and other forms of organised crime.

With the expiry of the initial six month implementation period, telecommunications companies can apply for an extension of up to 18 months (April 2017) to comply with the legislation.  

The Government continues to work constructively with the industry to achieve full compliance by April 2017.

Over $131 million has been committed by the Government to contribute to the upfront capital costs of the scheme.

Telecommunications companies have always retained metadata and law enforcement agencies have been permitted access to these records for decades, however industry practices have varied. The new scheme implements a uniform standard.

The Data Retention Act standardises the timeframe and type of data held giving law enforcement and national security agencies consistent information of the kind they need to keep the community safe.

The Act also introduced new and strengthened safeguard arrangements, in particular by significantly reducing the number of agencies that can access metadata.

The Attorney-General’s Department is finalising details of a grants program and it is expected that payments will be made early next year, well before April 2017.

The Government will continue to work closely with industry; the focus will be on implementation rather than enforcement.

He has been on the AM program, stating:

MICHAEL BRISSENDEN:            Senator Brandis, good morning.

ATTORNEY-GENERAL:              Good morning Michael.

MICHAEL BRISSENDEN:            As you have heard there, many of the ISPs don’t seem to be ready. There’s still a lot of confusion about what sort of metadata they are meant to retain. Have you explained this properly to them?

ATTORNEY-GENERAL:              It’s been very thoroughly discussed with the industry. There is an Implementation Working Group comprising the industry leaders, industry association and the Attorney-General’s Department. We are working closely with industry to ensure that there is full compliance with the obligation. There is an 18 month period commencing from today during which companies which are not compliant as of today, which is the six months after the legislation came into force, are able to apply for an extension of their compliance obligation. Those applications will be treated generously by my Department. Our objective here is to ensure that there is compliance but as you said in your intro, we are more concerned with implementation than law enforcement.

MICHAEL BRISSENDEN:            How do you explain this confusion then because clearly there are some out there who don’t know what they are supposed to keep. What are they supposed to keep?

ATTORNEY-GENERAL:              I think that the obligation is expressed very clearly in the legislation. If there is confusion among some members of the industry then I suspect that is a question better directed to them…

MICHAEL BRISSENDEN:            Can you spell out what they are supposed to keep though?

ATTORNEY-GENERAL:              The obligation is to retain metadata for two years and the legislation sets out a uniform standard. One of the problems, Michael, that law enforcement and security agencies have had in the past, is that there has been no uniformity across industry in terms of metadata retention practices and one of the key objectives of the legislation was to create a uniform standard. Now different businesses and industry participants will need to adjust, in some cases will need to adjust their business practices to be compliant with that uniform standard.

MICHAEL BRISSENDEN:            Okay but one of the problems seems to be what exactly it is that they are supposed to keep, can you…

ATTORNEY-GENERAL:              That is set out, with particularity, in the legislation.

MICHAEL BRISSENDEN:            And what is it?

ATTORNEY-GENERAL:              What is required is that metadata, that is information about a communication as opposed to the content of the communication be retained by industry participants. There is a detailed technical specification which is set out in the legislation.

MICHAEL BRISSENDEN:            Well AM has heard, as you heard in that story, from a small ISP in a regional centre who says this is putting too much of a burden on his business. Do you need to provide more support for smaller ISPs in particular?

ATTORNEY-GENERAL:              Well we are providing support and that support is directed primarily to the smaller ISPs. The Government is supporting the industry to the tune of $131 million to assist it in, and to assist industry participants to adjust their business practices to be compliant with the legislation.

MICHAEL BRISSENDEN:            That’s understood but it doesn’t seem it’s enough for some of them.

ATTORNEY-GENERAL:              Well there are many players in this industry, Michael. As you would understand, this is an important national security obligation. We do, frankly, expect the industry to assume a large part of this burden but the government is assisting, particularly the smaller industry participants by providing, as I said, $131 million to enable them to adjust their business practices to be compliant.

MICHAEL BRISSENDEN:            It is still going to cost consumers though, isn’t it because presumably, that $131 million isn’t going to cover all the costs and extra costs will be passed on.

ATTORNEY-GENERAL:              Michael, there have been many discussions between my Department and industry over more than a year now and we judge that the $131 million that the Commonwealth is providing is a fair contribution to the reasonable cost of being compliant. By the way, many industry participants are already compliant because many industry participants already retain metadata for two years, or in some cases more. As I said earlier, the purpose here is to establish a uniform standard that all can meet.

MICHAEL BRISSENDEN:            Okay on the counter-terrorism laws. Are you personally comfortable with 14 year olds being detained without charge?

ATTORNEY-GENERAL:              I am. I think what we saw with the event that occurred in Parramatta the Friday before last with a 15 year old boy who had been inspired to perform an horrendous terrorist act, an act of murder, demonstrates that unfortunately the reach of ISIL and ISIL surrogates and agents in Australia is extending to younger and younger people. This is a very, very serious problem of course but I think the age of the person concerned last Friday week demonstrates that 14 is not too young an age for an order of this kind to be made.

MICHAEL BRISSENDEN:            What happens to them while they are detained? Do police, for instance, have powers to question the individuals?

ATTORNEY-GENERAL:              In the legislation that I will be introducing in the next sitting fortnight there are particular safeguards in relation to minors under the age of 18. At the moment, by the way, the minimum age is 16. There are no particular protections for minors in the 16 and 17 year old age category but under the legislation there will be particular protections and safeguards for minors in the 14 to 17 age category.

MICHAEL BRISSENDEN:            And what will they be?

ATTORNEY-GENERAL:              They will be various measures that will limit the capacity of police to question or deal with minors in a way that is regarded, given the age of the person, to be unreasonable and that will be, when the legislation is public, published, you will see the detail of those particular safeguards.

MICHAEL BRISSENDEN:            New South Wales, as we have heard, wants to be able to hold someone without charge for 28 days. Are there any legal impediments to that and could that in fact be a breach of the constitution?

ATTORNEY-GENERAL:              Well there are no legal impediments for the New South Wales government to legislate in that respect and of course the states have their own control order and preventative detention order regimes as well. But there is a legal impediment, I’m advised, for the Commonwealth to do so and that is because detention without charge could be seen, for an unreasonably long period, could be seen to be a form of executive detention and therefore a violation of Chapter 3 of the Constitution which prevents the executive government from exercising a judicial power.

MICHAEL BRISSENDEN:            So they can basically go it alone, can they?

ATTORNEY-GENERAL:              Well, the New South Wales government, subject to, and I don’t profess to be an expert on the New South Wales State Constitution, but that constitution is able to be amended by the New South Wales State Parliament. But certainly from the Commonwealth’s point of view we have to establish the right period so that there is sufficient flexibility and capacity for the police to meet their operational needs while at the same time avoiding what could be regarded as punitive executive detention. Punitive detention, under Commonwealth law, can only be ordered by a court.

MICHAEL BRISSENDEN:            Okay, just finally on the Commonwealth legislation then. That’s set for introduction soon. When is that going to be and will there be anything else in it that we don’t know about?

ATTORNEY-GENERAL:              When you say we don’t know about it, I first foreshadowed the fifth tranche of Commonwealth legislation at the Countering Violent Extremism Summit in Sydney on the 12th of June. The final draft of the bill was shared with the New South Wales and other state and territory governments on the 2nd of September so the point I’d make to you, Michael, is that this has been a matter of collaboration and discussion with all of the state and territory governments, including the New South Wales Government, for some months now. There is also, under the COAG process, a working group that has been looking, since the beginning of this year, at counter-terrorism laws and the bill that I will be introducing in the next sitting fortnight after this, in other words in about three or four weeks hence, picks up a number of the recommendations of that COAG working party as well.

MICHAEL BRISSENDEN:            Okay, Senator Brandis thank you very much for joining us.

ATTORNEY-GENERAL:              Thank you Michael.

The coverage continued on the World Today with “Communications Alliance says no Government money has been given to ISPs to its knowledge”, which provides:

ELEANOR HALL: Australia’s Attorney-General has pointed to a $131 million pot of money that his department has set aside to help Internet Service Providers comply with the Government’s mandatory data retention laws, which come into force today.

But the Communications Alliance, which represents many of the nation’s ISPs, says to its knowledge not a dollar of the money has yet been spent.

The majority of internet service providers say they’ve already missed today’s deadline on metadata, and a Greens MP is describing the retention regime rollout as a “debacle”.

Will Ockenden has our report.

WILL OCKENDEN: Long before the metadata retention bill passed both houses of parliament in late March, there were many who said the scheme’s rollout would be long and complicated.

So it came as no surprise to the Communication Alliance’s John Stanton that the vast majority of ISPs missed today’s deadline to be ready to retain data.

JOHN STANTON: Not surprisingly, there’s a pretty low state of readiness for the data retention regime that comes into force today, with many service providers still confused about exactly what’s required of them and the vast majority of them not able to be compliant on day one.

WILL OCKENDEN: But the Attorney-General George Brandis has this morning defended the regime’s rollout, saying ISPs won’t be penalised or prosecuted for not being ready.

GEORGE BRANDIS: We are working closely with industry to ensure that there is full compliance with the obligation. There is an 18 month period commencing from today during which companies which are not compliant as of today, which is six months after the legislation came into force, are able to apply for an extension of their compliance obligation.

WILL OCKENDEN: Senator Brandis points to a large pool of money which he says is helping ISPs get ready.

GEORGE BRANDIS: The Government is assisting, particularly the smaller industry participants, by providing, as I said, $131 million to enable them to adjust their business practices to be compliant.

WILL OCKENDEN: But the money on offer to ISPs will not meet all their costs for implementing the Government’s mandatory scheme.

A PricewaterhouseCoopers report, which was commissioned by the Attorney-General’s Department, found the upfront cost of the metadata retention would be between $188.8 and $319 million.

Senator Brandis again.

GEORGE BRANDIS: This is an important national security obligation. We do frankly expect the industry to assume a large part of this burden.

WILL OCKENDEN: And while most of the money has been earmarked for ISPs, according to the Communication Alliance’s John Stanton none of it has yet been spent.

(to John Stanton)

There’s been more than $100 million set aside for this, how much has been paid out to ISPs?

JOHN STANTON: Zero as far as I know. The Government has come up with a draft financial model and is going to consult with industry on that I believe later this month.

Service providers are having to commit to investment decisions to implement the processes and the systems to meet their requirements without knowing how much of that spending will remain unfunded.

WILL OCKENDEN: So how could it be that we’re six months down the line from when it received royal assent, 84 per cent aren’t ready or compliant, and there’s still a huge pot of money sitting there in the Federal Government coffers which would probably help ISPs significantly to get ready for what they’ve been asked to by the Government?

JOHN STANTON: Well that’s a very good question; we certainly think the money ought to have been apportioned by now. Really we shouldn’t be six months down the track with this level of uncertainty about that aspect of the scheme.

WILL OCKENDEN: The level of uncertainty is highlighted by a survey from the Communications Alliance, which has found that two thirds of ISPs are either “not confident” or only “somewhat confident” that they fully understand what metadata the Federal Government wants them to collect.

But Attorney-General George Brandis says it should be clear.

GEORGE BRANDIS: The obligation is expressed very clearly in the legislation. If there is confusion among some members of the industry then I suspect that’s a question better directed to them.

WILL OCKENDEN: The World Today has spoken to several people in the telecommunications industry, and they say they’re worried that their interpretation of what the Government wants is different from what the Government thinks it wants.

They say the documents they’ve been provided are not a technical specification, and are vague and hard to implement technically.

Greens Senator Scott Ludlam, who’s long been a critic of the legislation, has called the metadata retention rollout a debacle.

SCOTT LUDLAM: My overall concerns are we’ve got a scheme that is costing in excess of $300 million that’s formidably difficult for industry to implement, that may bankrupt smaller ISPs that can be defeated in about 60 seconds by downloading an app that costs less than a dollar.

ELEANOR HALL: That’s Greens Senator Scott Ludlam ending that report from Will Ockenden.

Ben Grubb, the Fairfax technology writer, has provided a practical overview of the legislation titled “Metadata retention changes explained”, which provides:

Starting on Tuesday, October 13, Australian telcos such as Telstra and Optus are required to start storing metadata logs pertaining to people’s email, internet, mobile and landline use for up to two years.

While other countries have overturned legislation dealing with data retention because it has been ruled unconstitutional, Canberra continues to push ahead with its scheme despite concerns from civil liberties and internet rights groups.

What does it mean to the average law-abiding citizen?

Who you called, who called you, both parties’ location and the duration of the calls will be stored for two years, and potentially accessed without a warrant, meaning there is no judicial oversight by a magistrate.

It also applies to email but not to which websites you access. Only the IP address allocated to your modem by your internet provider will be stored so that law enforcement can figure out suspects’ involvement in cyber attacks, child exploitation, terrorism activity and other crimes.

There were 563,012 disclosures in the 2013-14 financial year relating to more than 330,000 authorisations by government agencies. Whether your records were accessed is a secret, even if it was discovered you hadn’t committed a crime.

Can data retention be circumvented?

Yes. With the use of what’s called a virtual private network, or VPN, people are able to prevent their internet metadata being stored by their internet service provider (ISP).

A VPN encrypts all internet traffic between a user and the server that is providing them with internet access.

VPNs vary in their cost but can be bought for less than $5 a month. The Tor Browser, which provides anonymity via a different way, is free but can be very slow, since it relies on an encrypted communications network run by volunteers interested in privacy.

Camouflaging phone access is harder, requiring the use of a service overseas that isn’t subject to data retention legislation. The use of a voice-over IP (VoIP) provider like Skype in combination with a VPN is possible, although law enforcement agencies can still access the data stored on Skype’s servers with a warrant and assistance from US police, which is why some people sign up as “Mickey Mouse” and use gift cards bought with cash at newsagents to not tie their identity to the account.

Some have argued storing every citizen’s metadata will probably result in more innocent people having all their data stored rather than hardcore criminals, who are known to use VPNs.

What has this got to do with piracy?

The government is not after those who illicitly downloaded movies and TV shows, according to former communications minister and now Prime Minister Malcolm Turnbull.

But requiring internet providers to store IP addresses will mean copyright holders will be able to use the courts to try to obtain access to this data. They could then use this to sue individuals for copyright infringement.

Will there be an ‘internet tax’?

Storing large volumes of customer metadata for two years will require data warehouses, which some telcos, like iiNet, have estimated would cost $60 million to set up.

These estimations were based on also storing URLs customers accessed, which will not be required. The cost is likely to be less, but by how much is unknown.

The government has committed to paying $131 million in set-up costs with taxpayers’ money. Other costs – such as power for data centres – if required, may have to be passed on to consumers.

Either way, costs will end up coming from Australian taxpayers directly or indirectly. Some have labelled this a surveillance tax.

Telcos say they are yet to see any of the money the government has committed, and some lawyers say smaller ISPs could be put out of business because of the new laws.

Where will the data be stored and will it be secured properly?

Questions remain over what obligations will be placed on telcos to secure data properly.

There is no data breach notification scheme in Australia, so if data is hacked, your internet or phone company does not have to tell you about it.

Fines of up to $1.1 million can apply but that’s only if the federal Privacy Commissioner investigates a breach.

New legislation that will deal with the storage of the data is due to be introduced before the end of the year.

When will the legislation become effective?

From Tuesday, October 13. But even then telcos can delay the start date by using what’s known as a data retention implementation plan, or DRIP.

A DRIP allows a service provider to delay implementing data retention for up to 18 months if the Attorney-General’s Department approves the delay.

Are there any good safeguards introduced by the bill?

Yes. Previously, local councils, the RSPCA, Australia Post and other agencies not typically considered law enforcement authorities could access your metadata. They will no longer be able to access it without approval from the Attorney-General. The Attorney-General will be required to consider a range of criteria before granting approval, including whether the agency seeking access to the data is subject to a binding privacy scheme.

From October 13, the Commonwealth Ombudsman will also have oversight of metadata access but this is only after metadata requests are made.

Does data retention work?

When Germany introduced mandatory data retention there was a 0.006 percent increase in crime clearance rates.

Germany and other countries later ruled data retention unconstitutional, but the Australian government says it has taken into account suggestions made by courts overseas that have overturned the legislation.

There have also been questionable alleged uses of metadata in Australia, including by Queensland Police, who reportedly used it to see whether cadets were faking sick days or sleeping with one another (against police rules).

Already an extension has been granted to Telstra, as explained in “Telstra reveals data retention extension”, which provides:

Australia’s biggest telco given another 18 months to comply.

Telstra has revealed the Attorney-General’s Department approved the telco’s request for an extension to the compliance deadline for its data retention obligations.

Australia’s telecommunications and carriage service providers were by today required to comply with new data retention obligations – and store the non-content data of all customers for two years – or risk penalties.

However, a survey by telco industry body the Communications Alliance revealed most of its surveyed members did not meet today’s compliance deadline.

A large percentage of ISPs that had submitted a request for an extension – a so-called data retention implementation plan (DRIP) outlining plans for future adherence – complained they hadn’t yet heard back from the AGD on whether their request had been approved.

The maximum extension allowed is 18 months, giving successful applications until April 12 2017 to comply.

Around 80 percent of Comms Alliance member respondents said they had either already submitted a DRIP or planned to soon.

But as many as 76 percent of those that said they’d asked for an extension claimed to have had no response from the department on the status of the request.

The AGD has refused to detail how many providers were compliant as of the scheme’s first day of operation.

It similarly refused to detail how many have been granted extensions or exemptions.

However, Telstra chair Catherine Livingstone today revealed Telstra had submitted a DRIP and had its plan approved by the Attorney-General’s Department.

She said she believed Telstra was “one of the few” to have successfully had their extension plan approved.

Head of peak internet user organisation Internet Australia, Laurie Patton, said if Australia’s biggest telco was unable to comply with its data retention obligations by the deadline, smaller companies had no hope.

“Telstra was one of the few industry organisations that was consulted by the government when they were drafting this flawed legislation,” he said.

“Telstra could put 20 people in a room for three months to work on this and nobody would notice they’d gone. Whereas small ISPs don’t have the resources to undertake the complex task of compiling an implementation plan.

“If Telstra is finding it difficult, think about the position of a small ISP with limited staff who is already flat out servicing its existing customers.”

One owner of a regional ISP today told AM radio his data retention plan had reached 400 pages, but was nowhere near finished.

He said the process was eating into his business’ profitability.

“The amount of time we’re spending on it is so high that it’s becoming an unviable thing to continue on. We have to look after our customers and keep working,” the ISP owner told AM.

Communications Alliance CEO John Stanton said it was “no surprise” many service providers wouldn’t be compliant by the due date.

“Many of these … are still waiting to hear from government as to whether their implementation plans have been approved,” Stanton said.

“The onus remains on government to work constructively with industry – and not rush to enforcement – over coming months to help providers come into line with what is proving to be a very challenging and somewhat confusing impost on the industry.”

Telstra has claimed to have its data retention plan approved, as reported in “Telstra: We could be the only Australian telco with an approved data retention plan”.

There has been no shortage of negative coverage of the Data Retention Laws, such as “Telcos not ready, don’t understand data retention: Comms Alliance” and “Turnbull’s mutual respect campaign to kick off with taking away privacy”.

The real problem is the lack of mandatory data breach notification legislation and a very ineffective regulator in the Privacy Commissioner. Even with enhanced powers the Privacy Commissioner has been a timid and largely ineffectual regulator. As a result, compliance with privacy laws is very poor. This is a policy failing, made all the more stark as the digitisation of the economy occurs at an ever more rapid pace.



